QUESTION 1

Which statement describes a best practice when configuring trunking on a switch port? 

A. Disable double tagging by enabling DTP on the trunk port. 

B. Enable encryption on the trunk port. 

C. Enable authentication and encryption on the trunk port. 

D. Limit the allowed VLAN(s) on the trunk to the native VLAN only. 

E. Configure an unused VLAN as the native VLAN. 

Answer: E

QUESTION 2 

Which type of Layer 2 attack causes a switch to flood all incoming traffic to all ports? 

A. MAC spoofing attack 

B. CAM overflow attack 

C. VLAN hopping attack 

D. STP attack 

Answer: B

QUESTION 3 

What is the best way to prevent a VLAN hopping attack? 

A. Encapsulate trunk ports with IEEE 802.1Q.

B. Physically secure data closets. 

C. Disable DTP negotiations. 

D. Enable BPDU guard.

Answer: C

QUESTION 4 

Which statement about PVLAN Edge is true? 

A. PVLAN Edge can be configured to restrict the number of MAC addresses that appear on a single port. 

B. The switch does not forward any traffic from one protected port to any other protected port. 

C. By default, when a port policy error occurs, the switchport shuts down. 

D. The switch only forwards traffic to ports within the same VLAN Edge. 

Answer: B

QUESTION 5 

If you are implementing VLAN trunking, which additional configuration parameter should be added 
to the trunking configuration? 

A. no switchport mode access 

B. no switchport trunk native VLAN 1 

C. switchport mode DTP 

D. switchport nonnegotiate 
Answer: D

QUESTION 6 

When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a 
traffic class? (Choose three.)

A. pass 

B. police 

C. inspect 

D. drop 

E. queue 

F. shape

Answer: ACD

QUESTION 7 

With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by 
the router when some of the router interfaces are assigned to a zone? (Choose three.)

A. traffic flowing between a zone member interface and any interface that is not a zone member 

B. traffic flowing to and from the router interfaces (the self zone) 

C. traffic flowing among the interfaces that are members of the same zone 

D. traffic flowing among the interfaces that are not assigned to any zone 

E. traffic flowing between a zone member interface and another interface that belongs in a different zone 

F. traffic flowing to the zone member interface that is returned traffic 

Answer: BCD

QUESTION 8 

Which option is a key difference between Cisco IOS interface ACL configurations and Cisco ASA 
appliance interface ACL configurations?

A. The Cisco IOS interface ACL has an implicit permit-all rule at the end of each interface ACL. 

B. Cisco IOS supports interface ACL and also global ACL. Global ACL is applied to all interfaces. 

C. The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard masks. 

D. The Cisco ASA appliance interface ACL also applies to traffic directed to the IP addresses of the Cisco 
ASA appliance interfaces. 

E. The Cisco ASA appliance does not support standard ACL. The Cisco ASA appliance only supports
extended ACL.

Answer: C

QUESTION 9 

Which two options are advantages of an application layer firewall? (Choose two.) 

A. provides high-performance filtering 

B. makes DoS attacks difficult 

C. supports a large number of applications 

D. authenticates devices 

E. authenticates individuals 
Answer: BE

QUESTION 10 

On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used? 

A. used for SSH server/client authentication and encryption 

B. used to verify the digital signature of the IPS signature file 

C. used to generate a persistent self-signed identity certificate for the ISR so administrators can authenticate 
the ISR when accessing it using Cisco Configuration Professional 

D. used to enable asymmetric encryption on IPsec and SSL VPNs 

E. used during the DH exchanges on IPsec VPNs 

Answer: B

QUESTION 11 

Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration 
Professional IPS wizard? (Choose four.) 

A. Select the interface(s) to apply the IPS rule. 

B. Select the traffic flow direction that should be applied by the IPS rule. 

C. Add or remove IPS alerts actions based on the risk rating. 

D. Specify the signature file and the Cisco public key. 

E. Select the IPS bypass mode (fail-open or fail-close). 

F. Specify the configuration location and select the category of signatures to be applied to the selected 
interface(s). 

Answer: ABDF

QUESTION 12 

Which statement is a benefit of using Cisco IOS IPS? 

A. It uses the underlying routing infrastructure to provide an additional layer of security. 

B. It works in passive mode so as not to impact traffic flow. 

C. It supports the complete signature database as a Cisco IPS sensor appliance. 

D. The signature database is tied closely with the Cisco IOS image. 

Answer: A

QUESTION 13 

Which description of the Diffie-Hellman protocol is true? 

A. It uses symmetrical encryption to provide data confidentiality over an unsecured communications channel. 

B. It uses asymmetrical encryption to provide authentication over an unsecured communications channel. 

C. It is used within the IKE Phase 1 exchange to provide peer authentication. 

D. It provides a way for two peers to establish a shared-secret key, which only they will know, even though 
they are communicating over an unsecured channel. 

E. It is a data integrity algorithm that is used within the IKE exchanges to guarantee the integrity of the 
message of the IKE exchanges. 
Answer: D

QUESTION 14 

Which IPsec transform set provides the strongest protection? 

A. crypto ipsec transform-set 1 esp-3des esp-sha-hmac 

B. crypto ipsec transform-set 2 esp-3des esp-md5-hmac 

C. crypto ipsec transform-set 3 esp-aes 256 esp-sha-hmac 

D. crypto ipsec transform-set 4 esp-aes esp-md5-hmac 

E. crypto ipsec transform-set 5 esp-des esp-sha-hmac 

F. crypto ipsec transform-set 6 esp-des esp-md5-hmac 

Answer: C

QUESTION 15 

Which two options are characteristics of the Cisco Configuration Professional Security Audit 
wizard? (Choose two.) 

A. displays a screen with fix-it check boxes to let you choose which potential security-related configuration 
changes to implement 

B. has two modes of operation: interactive and non-interactive 

C. automatically enables Cisco IOS firewall and Cisco IOS IPS to secure the router 

D. uses interactive dialogs and prompts to implement role-based CLI 

E. requires users to first identify which router interfaces connect to the inside network and which connect to 
the outside network 

Answer: AE

QUESTION 16 

Which statement describes a result of securing the Cisco IOS image using the Cisco IOS image 
resilience feature? 

A. The show version command does not show the Cisco IOS image file location. 

B. The Cisco IOS image file is not visible in the output from the show flash command. 

C. When the router boots up, the Cisco IOS image is loaded from a secured FTP location. 

D. The running Cisco IOS image is encrypted and then automatically backed up to the NVRAM. 

E. The running Cisco IOS image is encrypted and then automatically backed up to a TFTP server. 

Answer: B

QUESTION 17 

Which aaa accounting command is used to enable logging of the start and stop records for user 
terminal sessions on the router? 

A. aaa accounting network start-stop tacacs+ 

B. aaa accounting system start-stop tacacs+ 

C. aaa accounting exec start-stop tacacs+ 

D. aaa accounting connection start-stop tacacs+ 

E. aaa accounting commands 15 start-stop tacacs+ 
Answer: C

QUESTION 18 

Which access list permits HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 
192.168.1.10?

A. access-list 101

B. access-list 101

C. access-list 101

D. access-list 101

E. access-list 101

F. access-list 101

Answer: B

QUESTION 19 

Which location is recommended for extended or extended named ACLs?

A. an intermediate location to filter as much traffic as possible 

B. a location as close to the destination traffic as possible 

C. when using the established keyword, a location close to the destination point to ensure that return traffic 
is allowed 

D. a location as close to the source traffic as possible

Answer: D

QUESTION 20 

Which statement about asymmetric encryption algorithms is true? 

A. They use the same key for encryption and decryption of data. 

B. They use the same key for decryption but different keys for encryption of data. 

C. They use different keys for encryption and decryption of data. 

D. They use different keys for decryption but the same key for encryption of data.

Answer: C 